Securing Email Forwarding in Exchange Online

Best Practices for Administrators

February 21, 2024

The two types of e-mail forwarding

Email forwarding in Exchange Online can be configured in two places:

1) Inbox Rules Forwarding (Outlook)

Normal users can configure forwarding by creating inbox rules that automatically forward (or redirect) e-mails to another address, directly from the Outlook application:

2) SMTP Forwarding (Exchange Admin Portal)

Administrative users can set up SMTP forwarding (forwarding configured on the mailbox itself rather than in a rule) to redirect a mailbox's e-mails to another address, directly from the Exchange Admin Center.

How to audit e-mail forwarding in your organization?

To audit e-mail forwarding in your organization, you can open the new Exchange Online report that lists all forwarded messages:

Or you could run some PowerShell commands like the ones described in the article here:
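The following Exchange Online PowerShell script is an added example, not code from the original article. It inventories both kinds of forwarding described above (mailbox-level SMTP forwarding and user inbox rules) and flags every target outside the tenant's accepted domains. It assumes the ExchangeOnlineManagement module is installed and that the account used can read mailbox and inbox-rule configuration; `$ReportPath` and the `Test-ExternalTarget` helper are the example's own choices.

```powershell
# Added example (not from the original article): inventory both kinds of forwarding
# and flag any target outside the domains the tenant owns.
# Assumes the ExchangeOnlineManagement module and a role that can read mailbox
# and inbox-rule configuration. $ReportPath is an assumed output location.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$ReportPath = ".\forwarding-inventory.csv"
$internal   = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }
$findings   = [System.Collections.Generic.List[object]]::new()

# Helper (example's own): $true when at least one SMTP address in $text belongs to a domain you do not own.
function Test-ExternalTarget {
    param([string]$text)
    $matches = [regex]::Matches($text, '[\w.+-]+@([\w-]+(?:\.[\w-]+)+)')
    foreach ($m in $matches) {
        if ($internal -notcontains $m.Groups[1].Value.ToLower()) { return $true }
    }
    return $false
}

$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1) Mailbox-level SMTP forwarding (set by admins in the Exchange Admin Center or with Set-Mailbox).
#    ForwardingSmtpAddress can point anywhere; ForwardingAddress is always an internal recipient,
#    so only the former can be flagged as external here.
foreach ($mbx in ($mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress })) {
    $target = if ($mbx.ForwardingSmtpAddress) { "$($mbx.ForwardingSmtpAddress)" } else { "$($mbx.ForwardingAddress)" }
    $findings.Add([PSCustomObject]@{
        Mailbox  = $mbx.PrimarySmtpAddress
        Type     = "SMTP forwarding"
        RuleName = ""
        Target   = $target
        KeepCopy = $mbx.DeliverToMailboxAndForward
        External = Test-ExternalTarget $target
    })
}

# 2) Inbox rules that forward or redirect (created by users in Outlook).
foreach ($mbx in $mailboxes) {
    $rules = Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
    foreach ($rule in $rules) {
        $target = (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) -join "; "
        $findings.Add([PSCustomObject]@{
            Mailbox  = $mbx.PrimarySmtpAddress
            Type     = "Inbox rule"
            RuleName = $rule.Name
            Target   = $target
            KeepCopy = -not [bool]$rule.RedirectTo   # a redirect leaves no copy in the mailbox
            External = Test-ExternalTarget $target
        })
    }
}

# Write the full inventory and show the external targets on screen for review.
$findings | Sort-Object External -Descending | Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Where-Object External | Format-Table Mailbox, Type, RuleName, Target -AutoSize
```

Run it on a schedule and diff the CSV against the previous run: a new row with `External` set is exactly the case the alerting described next is meant to catch, and `Get-InboxRule` per mailbox is slow in large tenants, so expect the run to take a while.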

You can also configure alert policies so that you are notified whenever a forwarding rule is created or changed:

From there, you will probably notice forwards that are legitimate from a business perspective.

However, there may also be e-mails forwarded to personal mailboxes or to unknown domains that you wish to prevent.

How to restrict the domains that are allowed to receive forwarded e-mails?

Here’s how you can manage and restrict such forwarding:

1- Configure the Default Outbound Anti-Spam Policy:

Enable automatic forwarding in the default outbound anti-spam policy.

If automatic forwarding is blocked at this level, all forwarded e-mails are stopped, regardless of destination. Since it is usually necessary to allow forwarding to certain domains (for example, forwarding invoices to the mailbox used by an automated invoice-management SaaS solution), this setting should be enabled, and the restriction is applied per destination domain in the next steps.

2- Configure “Remote Domains” Rules:

Create a “remote domain” entry for each destination domain that is considered legitimate and safe, and allow automatic forwarding on it:

3- Adjust the Default “Remote Domains” Rule:

Modify the default “remote domain” entry (which applies to every domain not listed explicitly) to block forwarded e-mails, so that forwarding only works towards the domains authorized in step 2:

If you would like to further control who is authorized to forward emails to the approved remote domains, follow these two additional steps:

4- Create an outbound anti-spam policy that authorizes a list of users to forward e-mails:

5- Configure the “default” outbound anti-spam policy to disallow automatic forwarding:
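The same five steps, applied with Exchange Online PowerShell, as an added example rather than code from the original article. The domain, user and policy names are placeholders to replace with your own values; the cmdlets and parameters are the standard `Set-HostedOutboundSpamFilterPolicy`, `New-RemoteDomain` / `Set-RemoteDomain` and `New-HostedOutboundSpamFilterPolicy` / `New-HostedOutboundSpamFilterRule` ones.

```powershell
# Added example (not from the original article): apply steps 1-5 with Exchange Online PowerShell.
# Every value below is a placeholder (assumption) to replace with your own domains, users and names.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$AllowedDomains    = @("invoices.example.com")         # external domains allowed to receive forwards (step 2)
$AllowedForwarders = @("ap-team@contoso.example")      # users allowed to forward to them (step 4)
$AllowedPolicyName = "AllowForwarding-ApprovedUsers"   # name of the dedicated outbound anti-spam policy

# Step 1: keep automatic forwarding enabled in the default outbound anti-spam policy.
# (If you stop after step 3, this is the final state; step 5 tightens it further.)
Set-HostedOutboundSpamFilterPolicy -Identity "Default" -AutoForwardingMode On

# Step 2: one remote-domain entry per approved destination, with automatic forwarding allowed.
foreach ($d in $AllowedDomains) {
    $existing = Get-RemoteDomain | Where-Object { $_.DomainName -eq $d }
    if (-not $existing) {
        $existing = New-RemoteDomain -Name "Forwarding allowed - $d" -DomainName $d
    }
    $existing | Set-RemoteDomain -AutoForwardEnabled $true
}

# Step 3: the default remote domain (wildcard "*") blocks automatic forwarding to everything else.
Set-RemoteDomain -Identity "Default" -AutoForwardEnabled $false

# Step 4: a dedicated outbound anti-spam policy, and a rule scoping it to the approved users,
#         so that only they may forward to the domains allowed in step 2.
if (-not (Get-HostedOutboundSpamFilterPolicy -Identity $AllowedPolicyName -ErrorAction SilentlyContinue)) {
    New-HostedOutboundSpamFilterPolicy -Name $AllowedPolicyName -AutoForwardingMode On | Out-Null
    New-HostedOutboundSpamFilterRule -Name $AllowedPolicyName `
        -HostedOutboundSpamFilterPolicy $AllowedPolicyName -From $AllowedForwarders | Out-Null
}

# Step 5: the default policy now blocks automatic forwarding for everyone not covered by step 4.
Set-HostedOutboundSpamFilterPolicy -Identity "Default" -AutoForwardingMode Off

# Verification: every remote domain except the approved ones should show AutoForwardEnabled = False,
# and only the dedicated policy should show AutoForwardingMode = On.
Get-RemoteDomain | Select-Object Name, DomainName, AutoForwardEnabled
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
```

Order matters: create the approved remote domains and the approved-users policy before switching the defaults off, otherwise the legitimate invoice forwarding stops working during the change window. Both layers are evaluated together: a forward only leaves the tenant when the sender's outbound anti-spam policy allows automatic forwarding and the destination's remote domain allows it too.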

By implementing these five steps, you have effectively brought automatic e-mail forwarding within your organization under control.

Your organization is now protected against data leaks through the forwarding of e-mails to external entities over which you have no control.

Official documentation from Microsoft: